CVE-2026-10593: memory-safety in zephyrproject zephyr
CVE-2026-10593 is a medium severity vulnerability in Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client versions 4.3.0 through before 4.5.0. The flaw involves mishandling of peer-supplied ASE state notifications, leading to a NULL pointer dereference and crash (denial of service) when a remote ASCS server sends a specific GATT notification during a permitted state transition. The issue arises because the handler writes attacker-controlled QoS fields through a pointer that can be NULL under certain conditions. The defect was fixed by changing the QoS storage to a always-valid embedded structure, eliminating the NULL dereference.
AI Analysis
Technical Summary
The Zephyr Bluetooth LE Audio BAP unicast client improperly handles ASE state notifications from a connected remote ASCS server. Specifically, in the function unicast_client_ep_qos_state(), the handler writes attacker-controlled QoS parameters through a stream-qos pointer that may be NULL if the stream has been codec-configured but not yet added to a unicast group. A malicious or buggy remote server can exploit this by sending a GATT notification indicating the ASE has entered the QoS Configured state while the local endpoint remains in Codec Configured state, causing a NULL pointer dereference and crash. This vulnerability affects Zephyr versions 4.3.0 and 4.4.0 and earlier. The fix involves redirecting all BAP QoS storage to an always-valid embedded ep-qos struct, preventing the NULL dereference.
Potential Impact
Successful exploitation results in a denial of service due to a NULL pointer dereference crash in the Bluetooth LE Audio BAP unicast client. There is no impact on confidentiality or integrity, only availability is affected. The vulnerability requires network access via Bluetooth and no privileges or user interaction are needed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vulnerability was fixed by changing the QoS storage to an always-valid embedded structure, so applying the official fix when available is recommended. Until then, avoid connecting to untrusted or potentially malicious ASCS servers over Bluetooth to reduce risk.
CVE-2026-10593: memory-safety in zephyrproject zephyr
Description
CVE-2026-10593 is a medium severity vulnerability in Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client versions 4.3.0 through before 4.5.0. The flaw involves mishandling of peer-supplied ASE state notifications, leading to a NULL pointer dereference and crash (denial of service) when a remote ASCS server sends a specific GATT notification during a permitted state transition. The issue arises because the handler writes attacker-controlled QoS fields through a pointer that can be NULL under certain conditions. The defect was fixed by changing the QoS storage to a always-valid embedded structure, eliminating the NULL dereference.
CVSS v3.1
Score 6.5medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Zephyr Bluetooth LE Audio BAP unicast client improperly handles ASE state notifications from a connected remote ASCS server. Specifically, in the function unicast_client_ep_qos_state(), the handler writes attacker-controlled QoS parameters through a stream-qos pointer that may be NULL if the stream has been codec-configured but not yet added to a unicast group. A malicious or buggy remote server can exploit this by sending a GATT notification indicating the ASE has entered the QoS Configured state while the local endpoint remains in Codec Configured state, causing a NULL pointer dereference and crash. This vulnerability affects Zephyr versions 4.3.0 and 4.4.0 and earlier. The fix involves redirecting all BAP QoS storage to an always-valid embedded ep-qos struct, preventing the NULL dereference.
Potential Impact
Successful exploitation results in a denial of service due to a NULL pointer dereference crash in the Bluetooth LE Audio BAP unicast client. There is no impact on confidentiality or integrity, only availability is affected. The vulnerability requires network access via Bluetooth and no privileges or user interaction are needed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vulnerability was fixed by changing the QoS storage to an always-valid embedded structure, so applying the official fix when available is recommended. Until then, avoid connecting to untrusted or potentially malicious ASCS servers over Bluetooth to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- zephyr
- Date Reserved
- 2026-06-01T21:19:25.050Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a40ac0127e9c79719547621
Added to database: 06/28/2026, 05:07:13 UTC
Last enriched: 06/28/2026, 05:21:29 UTC
Last updated: 06/28/2026, 06:21:43 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.